Sample carrier unit having sample data encryption and method for use thereof

ABSTRACT

A sample carrier unit (100), in particular for biological samples, is described which comprises a sample uptake unit (10) which is equipped for taking up at least one sample, a data storage unit (20) which is equipped for the storage of sample data that relate to the at least one sample, and a key storage unit (30) having at least one key store (31, 32, 33), wherein the key storage unit (30) is equipped for storing key data in the at least one key store (31, 32, 33). At least one key store (31, 32, 33) of the key storage unit (30) can be arranged so as to be separable from the sample carrier unit (100). In addition, a data processing unit (200) which is configured for coupling to the sample carrier unit (100) and a method for processing sample data are described, which sample data are encrypted using at least one cryptological key which is stored in the key storage unit (30).

The invention relates to a sample carrier device, in particular for biological samples, with a sample receiving device that is adapted to receive at least one sample, and with a data storage device that is adapted to save data that relates to the at least one sample. In addition, the invention relates to a data processing device that is adapted for data exchange with the sample carrier device. The invention further relates to a method for processing sample data, in particular from biological samples, using the sample carrier device. Applications of the invention are found in the handling of samples, in particular biological samples, e.g. in the extraction, processing, storage and/or preservation of biological samples. The invention allows, in particular, reversible or irreversible anonymization and/or authentication of samples.

With the development of biosciences such as biochemistry, biomedicine or biotechnology and medical diagnostics, there is an increasing need for biological samples (biological organisms or parts thereof, e.g. tissue, tissue parts, body fluids, cells or cell components), and the associated sample data are generated or processed while extracting, processing, storing or preserving the samples. Application scenarios for biological samples differ with regard to the number of samples, duration of use, duration of storage and/or the complexity of the sample data. Important aspects in all of them are the safety and reproducibility of sample handling, e.g. maintaining certain storage conditions, identifying samples and the traceability of samples with regard to the source of the sample or the application conditions.

It is generally known to store sample data, e.g. for identification or documentation purposes, in a data storage which is directly and physically connected to the sample (e.g. U.S. Pat. No. 6,931,864). Sample carrier devices that physically connect a sample receiving device and a data storage device allow a complete and unmistakable description of the sample independent of its current location or database connection. The connection of the sample data with the sample can, however, also be disadvantageous if the sample data or parts thereof are to be available only to a limited extent.

Thus, sample data in human medicine can contain person-related data about a donor or a patient. This data is significant for handling or evaluating the samples but, for ethical or legal reasons, it must be treated with strict confidentiality. For example, samples must be reliably anonymized before they are transferred to research institutes or laboratories in order to protect the personal privacy rights of the donor. For laboratory analyses or clinical studies, however, there may be an interest in retroactively reconnecting e.g. measuring results with person-related data, for instance if, after a longer storage period, new medical knowledge allows for an improved treatment of the affected person. There is therefore interest in irreversibly anonymizing or reversibly anonymizing (or: pseudonymizing) samples.

It is known from practice, for anonymizing sample data, not to store all of the complete person-related data, but instead to store only information for identification. To reversibly anonymize the samples, the identification information can be stored separately from the sample, manually or electronically, with the corresponding person-related data. Additional data that is gathered after taking the sample can also be anonymized and stored separately from the sample. According to another known approach from practice, the data can be anonymized by deleting person-related data or by software-based suppression of person-related data when reading sample data.

The conventional anonymization methods have a number of disadvantages that affect, in particular, the permanent storage of samples, e.g. in a cryopreserved state. Thus, the conventional use of the identification information requires a separation of information from the sample, so that a complete and unmistakable description and documentation of the sample is no longer guaranteed. The assignment of the identification information to the separately stored data (so-called “mapping”), which, if needed, has to be realized using manual data processing, results in a high work expenditure and a high risk of error. The reliable restoration of information in the reversible anonymization cannot be securely guaranteed by mapping in long-term storage, e.g. for years. Finally, the reliable physical deletion of electronically stored information requires high expenditure, which has a negative effect, in particular, when handling a large number of samples.

From DE 102 06 396 A1, it is known that in addition to a patient's sample data, biometric key data is also stored that is specific to the patient. The biometric key data is acquired from the sample and stored together with the sample data in a data set; however, anonymization of the sample data is not possible. Additional methods for processing biometric data are known from U.S. 2004/0162987 A1 and WO 2005/064325 A2, wherein, however, they also have disadvantages with regard to the options for reliable anonymization or pseudonymization of data.

The aforementioned disadvantages not only arise in human medicine, but also in other applications for biological or non-biological samples when, e.g., samples are to be exchanged between different laboratories for testing purposes and associated sample data needs to be kept confidential.

The objective of the invention is to provide an improved sample carrier device that is adapted for receiving samples and storing data, with which disadvantages of conventional sample carrier devices are avoided. The sample carrier device is to be suitable for an irreversible or reversible anonymization with less expenditure, more reliability and/or increased long-term stability. An additional objective of the invention is to provide a data processing device that is configured for coupling with the improved sample carrier device. The objective of the invention is also to provide an improved method for processing sample data by means of which disadvantages of conventional techniques are overcome.

The objectives of the invention are solved by a sample carrier device, a data processing device and a method, respectively, with the features of the independent claims. Advantageous embodiments of the invention result from the dependent claims.

According to a first aspect of the invention, the aforementioned objective is solved by a sample carrier device, which is provided with a sample receiving device and a data storage device. The sample receiving device is configured to receive at least one sample, in particular at least one biological sample. It comprises at least one sample receptacle, e.g. in the form of a closable container or a carrier substrate. The data storage device is adapted for storing sample data, which relate to the at least one sample. The data storage device comprises at least one data storage (data memory) that is adapted for storing the sample data.

According to the invention, the sample carrier device is also provided with a key storage device that has at least one key storage (key memory). The key storage device and the data storage device are two components provided on the sample carrier device. The key storage device, which is provided as a separate component in addition to the data storage device, is adapted for storing key data in the at least one key storage. The key data comprises at least one cryptological key that can be used for cryptological data encryption, in particular for cryptological encryption of the sample data or a part thereof.

The cryptological encryption can comprise immediate encryption of the sample data itself and/or encryption of additional data. When encrypting additional data, variants of the invention are provided in which the key is not directly stored in the key storage device, but rather information for the generation or use of keys stored elsewhere. For example, the key storage device can be used to store information required to generate a temporary key (or so-called session key) with which the encrypted data can be decrypted. Furthermore, the key storage device can be used to store information which, supplemented by information on the recipient side (e.g. the recipient's key), can be used for generating such a session key or for direct decryption. The key storage device can also be used to store a confidential, sample-specific number (PIN) or a password for encrypting or decrypting with the help of a key stored in the data storage device.

According to the invention, the sample data stored in the data storage device can be fully encrypted. Alternatively, it is possible to encrypt only parts of the sample data. For example, for applications in human medicine, the encryption can be limited to personal data (data that characterize the sample donor and/or features thereof). For other applications, the encryption can be limited to confidential data that is related e.g. to the composition of the sample or its creation. In the following, when reference is generally made to encrypting the sample data, this can refer to both variants, i.e. encrypting the complete sample data or a part of it.

Advantageously, with the sample carrier device according to the invention, a combination of at least one sample, associated sample data and key data is created, wherein the sample data is stored encrypted in the data storage device and, using the key data, can be decrypted and read. By storing the encrypted sample data, unauthorized access to the sample data can be prevented. The encryption allows for the at least one sample to be anonymized without deleting sample data or having to store it separately from the sample carrier device. Furthermore, advantageously, the anonymization and optional re-identification of samples is possible at high speed and with very little effort. The sample carrier device according to the invention is suitable for application with established data structures and with permanent processes, e.g. for handling and/or storing the samples for several years, in particular for cryopreservation of the samples.

According to a second aspect of the invention, a data processing device is provided that is configured for coupling with the sample carrier device in accordance with the first aspect of the invention. The data processing device comprises a read-write device with which the key data in the key storage device of the sample carrier device can be read, and a cryptological processor, which is connected with the read-write device and which is configured to decrypt and/or encrypt sample data using the key data. The data processing device has a data connection, e.g. via a wireless or wired interface, via which the encrypted sample data can be saved to or read from the data storage device of the sample carrier device coupled with the data processing device.

Advantageously, with the data processing device a compact, structurable tool is created that is suitable for quickly storing and quickly reading encrypted data and that is particularly suitable for automated handling of sample carrier devices.

According to a third aspect of the invention, a method for processing sample data is provided in which the sample carrier device in accordance with the aforementioned first aspect of the invention is used. According to the invention, the sample data or a part of it is encrypted using the key data, in particular the at least one cryptological key which is contained in the key data and stored in the key storage device, and the encrypted sample data is stored in the data storage device of the sample carrier device. Advantageously, the method according to the invention can be combined with conventional methods for the primary generation of sample data and the further processing thereof, e.g. amending, reading, updating and monitoring.

According to a fourth aspect of the invention, a method is provided for authenticating a work station, e.g. within an area for sample processing, in relation to a sample carrier device, e.g. by using a work station key for certain data sets, wherein the sample carrier device according to the aforementioned first aspect of the invention is used. At the work station, the data processing device, in particular in accordance with the second aspect of the invention, can be used as a reading device.

Furthermore, an authentication of a sample carrier device can be provided, wherein a signature key (“digital signature”) is stored. An asymmetrical method can be realized, wherein a sample source signs the sample in an area of sample generation with a private key that is known only to the sample source, and the signature can be verified with a public key.

Advantageously, according to the invention, the encrypted sample data can be protected from unauthorized access even though the key storage device with the key data is fixedly connected with the sample carrier device, at least when entering the sample into the sample carrier device and during the primary generation of sample data and, optionally, also during the further processing of the sample carrier device. For example, the cryptological system on which the encryption and decryption of the sample data is based can work with an asymmetrical key, of which a first (public) portion is saved in the key storage device and a second (non-public) portion is kept confidential by users of the sample carrier device. Alternatively, the cryptological system can work with a symmetrical key, wherein, however, the access to the cryptological key in the key storage device can be password protected.

Alternatively, according to a preferred and especially advantageous embodiment of the invention, it is possible to separate at least one key storage of the key storage device from the sample carrier device. In this embodiment of the invention, a physical separation of the at least one key storage from the sample carrier device, in particular from the sample receiving device, the data storage device and/or a housing thereof, is provided, wherein a mechanical connection between the at least one key storage and the sample carrier device is interrupted.

The separation of the at least one key storage from the sample carrier device can be irreversible. In this variant, a predetermined breaking point is preferably provided at which the at least one key storage can be separated from the sample carrier device. Advantageously, the irreversible separation allows for fast and reliable anonymization (“one-way anonymization”) in such a way that the at least one key storage is separated from the sample carrier device, e.g. interrupted or cut off, and thus eventually damaged in an irreversible fashion. With this variant, however, a reversible anonymization can also be achieved if, after the separation of the at least one key storage, additional key data, e.g. at least one identification key and/or at least one master key, remains stored in the key storage device. The additional key data can be used to reconstruct the at least one cryptological key as described below.

Alternatively, a reversible separability can be provided. With this variant, the at least one key storage can be attached releasably to a storage holder of the sample carrier device, wherein the storage holder is configured e.g. for a plug, locking or screw connection of the at least one key storage to the sample carrier device.

Advantageously, there are no limitations with regard to the type of storage of key data in the key storage device. According to preferred variants of the invention, the at least one key storage can be adapted for electronic, optical and/or magnetic storage of the key data. Furthermore, the at least one key storage can be configured for a one-time storage of the key data (read-only storage) or for multiple storages and/or changes to the key data (read-write storage).

If, according to a further preferred embodiment of the invention, the key storage device is configured for a wireless data connection with a reading or read-write device, in particular with the data processing device in accordance with the aforementioned second aspect of the invention, advantages for easy handling of the sample carrier device can result when storing or reading sample data.

According to a particularly preferred embodiment of the invention, the key storage device comprises at least one transponder (RFID circuit). The transponder comprises a transponder storage, with which the key storage is provided, and a resonance structure with which the wireless data connection with the read-write or reading device can be realized. Depending on the application of the invention and the design of the sample carrier device, the key storage device can comprise several transponders which each provide a key storage and can be read individually. To realize the aforementioned separability of the at least one key storage from the sample carrier device, the at least one transponder can be connected to the sample carrier device via a predetermined breaking point or a storage holder.

The use of a transponder for providing a key storage is not, however, absolutely necessary. Alternatively, the key storage can also be realized by a storage chip, e.g. a FLASH storage device, an optical storage device or even by a graphic code, such as a bar or dot code. In contrast to a storage chip, the transponder has the advantage of an energy supply integrated via the resonance structure of the transponder.

Although the provision of an individual key storage for receiving the at least one cryptological key and optional additional key data is sufficient for implementing the invention, providing several key storages can be advantageous for special applications of the invention. For instance, the sample data can have a data structure with different types of sample data (sample data types). The sample data types can each comprise e.g. information about the sample source (person-related data, donor data), information about the taking of the sample, information about the processing of the sample, information about the measured characteristics (measuring values) of the sample and/or information about the storage conditions (temperature profiles or similar). For each sample data type, a specific cryptological key can be stored in the key storage device. According to a preferred embodiment of the invention, in this case several key storages are provided, each of which is configured for saving a cryptological key for one of the sample data types. Advantageously, the anonymization can then be realized specifically for individual sample data types.

Alternatively or additionally, the data storage device can comprise several storage areas which are physically separated from each other and are each configured to store one of the sample data types. In this case, each one of the key storages can be assigned to one of the storage areas.

The provision of several key storages can additionally be advantageous for storing different types of key data (key data types) separately, e.g. the at least one cryptological key or at least one partial key, the at least one identification key and the master key. This embodiment of the invention offers advantages with regard to a high level of flexibility when using different methods for anonymization and/or re-identification, which are described in the following.

According to a first variant of the method according to the invention, one single cryptological key is stored in the key storage device, with which the sample data is encrypted or decrypted. For reversible or irreversible anonymization of the sample, it can be provided that the key storage with the cryptological key is correspondingly separated from the sample carrier device for a certain anonymization period or permanently.

According to a modification of the first variant, different cryptological keys are stored, preferably in different key storages in the key storage device, which are provided for encrypting different sample data types and/or different storage areas of the sample data storage device. For reversible or irreversible anonymization, corresponding key storages with the different cryptological keys can be temporarily or permanently separated from the sample carrier device.

According to a second variant of the method according to the invention, the at least one cryptological key is stored in the key storage device and additionally in a key database, which is separate from the sample carrier device and preferably connected to the data processing device in accordance with the aforementioned second aspect of the invention. Furthermore, at least one identification key is stored in the key storage device. The identification key comprises information with which the at least one cryptological key is identified in the key database, e.g. a storage address of the cryptological key in the key database. Alternatively or additionally, this information can also be stored in the data storage device, in particular as a further option for reversible anonymization. In this way, the sample is then anonymized at most reversibly.

The at least one cryptological key and the at least one identification key are stored in different key storages of the key storage device. To anonymize the sample, the at least one cryptological key can first be separated from the sample carrier device, wherein a temporary or permanent separation can be provided. In the second variant of the method according to the invention, the anonymization can also be reversed (re-identification) in the case of permanent separation of the at least one cryptological key from the sample carrier device. To this end, the at least one cryptological key is read from the key database using the at least one identification key and used for encryption or decryption of the sample data. If the at least one key storage with the at least one identification key is also separated from the sample carrier device, the at least one cryptological key in the key database can no longer be identified and read. In this case, the re-identification is excluded.

Advantageously, the application of the at least one identification key allows for a sample to be quickly and reliably anonymized, reversibly or irreversibly, in such a way that either only the at least one cryptological key or both the at least one cryptological key and the at least one identification key are separated from the sample carrier device.

According to a third variant of the method according to the invention, the at least one cryptological key is encrypted with a master key and saved in the data storage device of the sample carrier device. In this case, preferably, the at least one cryptological key is stored in at least one key storage of the key storage device and at most a part of the master key is stored in a further key storage of the key storage device. A further part of the master key can be stored in a source storage, which is separated from the sample carrier device, e.g. provided at the site where the sample is generated.

In the third variant of the method according to the invention, sample data encrypting or decrypting with the at least one cryptological key can be provided in the non-anonymized state. If the at least one cryptological key is removed and the sample thus anonymized, a re-identification can be performed in such a way that the encrypted cryptological key is read from the data storage device and decrypted with the master key. Subsequently, the decrypted cryptological key can be used for decrypting the sample data. If a part of the master key is stored separately from the sample carrier device, the re-identification can only be realized at the site where that part of the master key is stored. This can be advantageous if certain sample data should only be available at the site where the sample was generated, e.g. blood sampling from a donor.

Even when using the master key, an irreversible anonymization can be achieved by permanently separating the key storage with the part of the master key from the sample carrier device.
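The three method variants above (a single key in a separable key storage; key plus identification key resolved against a key database; key wrapped under a master key whose parts sit on the carrier and at the source site), modelled as an added example that is not part of the patent. It uses only Python's standard library: the cipher is a constructed HMAC-SHA256 encrypt-then-MAC stand-in for the unspecified cryptological method, the two master-key parts are recombined by XOR, and the store names K, ID and M1, the key-database dict and the donor record are assumptions.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; keeps the example dependency-free (use AES-GCM in practice)
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def _subkeys(key: bytes):
    # Derive independent encryption and MAC keys from the stored cryptological key
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag (encrypt-then-MAC, fresh nonce per call)."""
    k_enc, k_mac = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; a wrong key fails closed."""
    k_enc, k_mac = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered sample data")
    return bytes(c ^ s for c, s in zip(ct, _keystream(k_enc, nonce, len(ct))))

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

@dataclass
class SampleCarrier:
    """Data storage device (20) plus individually separable key stores (31, 32, 33)."""
    data_store: dict = field(default_factory=dict)
    key_stores: dict = field(default_factory=dict)

    def separate(self, name: str) -> bytes:
        # Break the key store off at its predetermined breaking point
        return self.key_stores.pop(name)

def reidentify_via_database(carrier: SampleCarrier, key_db: dict) -> bytes:
    """Second variant: the identification key addresses the cryptological key in the database."""
    key = key_db[carrier.key_stores["ID"]]  # KeyError once store ID has been separated
    return decrypt(key, carrier.data_store["donor"])

def reidentify_via_master(carrier: SampleCarrier, source_part: bytes) -> bytes:
    """Third variant: rebuild the master key from both parts and unwrap the stored key."""
    master = xor_bytes(carrier.key_stores["M1"], source_part)  # KeyError once M1 is separated
    key = decrypt(master, carrier.data_store["wrapped_key"])
    return decrypt(key, carrier.data_store["donor"])

def _attempt(fn, *args):
    # Returns the decrypted data, or None when a key store needed for re-identification is gone
    try:
        return fn(*args)
    except KeyError:
        return None

def run_variants(donor_data: bytes = b"donor: constructed record 0815") -> dict:
    """Walks through the three variants and records what stays readable after each separation."""
    out = {}
    # Variant 1: a single key in store K; separating K anonymizes the sample
    key = os.urandom(32)
    c1 = SampleCarrier({"donor": encrypt(key, donor_data)}, {"K": key})
    out["v1_before"] = decrypt(c1.key_stores["K"], c1.data_store["donor"])
    c1.separate("K")
    out["v1_key_on_carrier"] = "K" in c1.key_stores

    # Variant 2: key also held in a key database, addressed by identification key ID
    key, id_key = os.urandom(32), os.urandom(16)
    key_db = {id_key: key}
    c2 = SampleCarrier({"donor": encrypt(key, donor_data)}, {"K": key, "ID": id_key})
    c2.separate("K")
    out["v2_after_k"] = _attempt(reidentify_via_database, c2, key_db)
    c2.separate("ID")
    out["v2_after_k_and_id"] = _attempt(reidentify_via_database, c2, key_db)

    # Variant 3: key wrapped under a master key split between carrier (M1) and the source site
    key, part_carrier, part_source = os.urandom(32), os.urandom(32), os.urandom(32)
    master = xor_bytes(part_carrier, part_source)
    c3 = SampleCarrier({"donor": encrypt(key, donor_data),
                        "wrapped_key": encrypt(master, key)}, {"K": key, "M1": part_carrier})
    c3.separate("K")
    out["v3_after_k"] = _attempt(reidentify_via_master, c3, part_source)
    c3.separate("M1")
    out["v3_after_k_and_m1"] = _attempt(reidentify_via_master, c3, part_source)
    return out
```

Separating K alone leaves the sample readable only through the database (variant 2) or the recombined master key at the source site (variant 3); separating ID or M1 as well makes both paths fail closed.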

According to a further advantageous embodiment of the sample carrier device according to the invention, it can be provided that each key storage bears a specific marking. The marking can indicate, for example, the function of the key storage or the type of the key data stored in the relevant key storage. Alternatively or additionally, the marking can comprise an identification for assigning a key storage that has been removed to a sample, e.g. a sample identification (sample ID). An ID is necessary for reassignment, in particular in case of temporary removal of the key storage. Alternatively, the sample ID could, however, also additionally be saved in the key storage.

Preferably, a visually perceivable marking, e.g. a color marking or a label of the key storage, is provided. Through visual observation or optical detection, the key storage that was removed from the sample carrier device can easily be determined. Thus, it can easily be determined whether the sample was reversibly or irreversibly anonymized and/or which data areas in the data storage device are anonymized.

Further details and advantages of the invention will be described below with reference to the attached drawings. The figures show as follows:

FIGS. 1 and 1A: a first embodiment of the sample carrier device and the data processing device according to the invention;

FIG. 2: features of further embodiments of the sample carrier device and the data processing device according to the invention;

FIG. 3: a schematic overview of the generation, storage and distribution of samples and sample data;

FIG. 4: a schematic overview representation of the cryptological encrypting of sample data provided according to the invention;

FIGS. 5 and 6: flow diagrams for illustrating a first variant of the method according to the invention and an irreversible anonymization of a sample;

FIGS. 7 and 8: flow diagrams for illustrating a second variant of the method according to the invention and a reversible anonymization of a sample;

FIG. 9: a flow diagram for illustrating a re-identification in the variant in accordance with FIG. 7;

FIGS. 10 and 11: flow diagrams for illustrating a third variant of the method according to the invention;

FIGS. 12 and 13: flow diagrams for illustrating a reversible and an irreversible anonymization of a sample in the method in accordance with FIG. 11; and

FIG. 14: a flow diagram for illustrating the re-identification in the method in accordance with FIG. 11.

Preferred embodiments of the invention will be described in the following with exemplary reference to the handling of biological samples and associated sample data when taking, treating and storing, in particular cryopreserving, the biological samples. It is emphasized that the implementation of the invention is not limited to the application with biological samples, but is also accordingly possible with other samples, e.g. chemical samples or work pieces. The taking, handling and cryopreservation of biological samples are known as such and will thus not be described individually here. Likewise, sample carrier devices for combined reception of at least one sample and sample data are known, so their individual features are not described here.

In the following, first, with reference to FIGS. 1 to 3, features of preferred embodiments of a sample carrier device and data processing device according to the invention are described. Then, with reference to FIGS. 4 to 14, details of the methods for data processing according to the invention, in particular for encrypting or decrypting sample data, are described.

1. Preferred Embodiments of Sample Carrier and Data Processing Devices According to the Invention

FIG. 1 schematically illustrates a first embodiment of a sample carrier device 100 according to the invention, a first embodiment of the data processing device 200 according to the invention and the combination thereof. In the practical use of the invention, a plurality of sample carrier devices 100 are provided for receiving biological samples, which can be coupled with one or more data processing devices 200, e.g. in an area 300 of the sample generation or an area 400 of the sample preservation (see FIG. 3).

The sample carrier device 100 comprises the sample receiving device 10 and the data storage device 20, which are permanently connected to each other. The sample receiving device 10 is a closable container, e.g. a sample tube with a lid 11, wherein the data storage device 20 is permanently connected to the bottom of the sample receiving device 10.

The data storage device 20 can alternatively be connected releasably to the container, e.g. screwed or clipped on. The latter can be an advantage for adapter solutions in which a standard container is used as a sample receiving device 10 that is placed in a holder onto which a socket with the data storage device 20 is screwed, for example. The sample tube can be made of a plastic, e.g. polypropylene, in an injection moulding process, wherein in case of a permanent connection the data storage device 20 is connected to the bottom of the sample tube using injection moulding. The sample receiving device 10 contains a sample space with dimensions of e.g. 5 mm diameter and 10 mm height. Alternatively, several separate sample spaces can be provided.

The data storage device 20 comprises a digital storage chip, e.g. a FLASH-EEPROM (FLASH memory) with an interface 21 via which the data connection can be established with the data processing device 200.

In addition to the data storage device 20, the sample carrier device 100 comprises a separate key storage device 30 with several key storages 31, 32. In the example illustrated, on the outside of the sample carrier device 100 or embedded in the outer wall thereof, transponders 37, 38 are provided, the transponder storages of which provide the key storages 31, 32 and which are each equipped with a resonant circuit 34, 35. The transponders 37, 38 have e.g. a rod shape as is known from transponder type HITAG 5256, manufactured by NXP (Netherlands). On the transponder 38, a schematic example of an optical marking 38.1 is illustrated which can be used to visually or optically determine whether there is a transponder 38 on the sample carrier device 100. Optical markings can also be provided on the other transponders.

The transponders 37, 38 are connected with the outside of the sample carrier device 100, which is e.g. made of plastic. For example, a glued connection or a plastic connection between a plastic sheathing of the transponders and the sample carrier device 100 can be established, e.g. with an injection moulding process, or a storage holder which is designed for a plug, locking or screw connection can be provided. By using the glued or plastic connection, preferably a predetermined breaking point 12 is created between the transponders 37, 38 and the sample carrier device 100, which is illustrated schematically in FIG. 1A and which serves for the irreversible removal of one transponder each, or at least of the associated key storage, from the sample carrier device 100. The removal of at least one key storage from the sample carrier device 100 allows for an irreversible or reversible anonymization as described in further detail below.

Due to their different functions, the data storage device and the key storage device typically have different storage capacities, which are selected for the at least one data storage in the range of e.g. 512 kbits to 16 Mbits and for the at least one key storage in the range of e.g. 128 bits to 256 bits. These values represent examples which can vary depending on the concrete application of the invention and the encrypting requirements. Thus, a minimum size for the data storage is in general given by the block size (N value), which in a symmetrical method often corresponds to the key length. The size of the data storage can exceed said interval when using suitable storage chips. For the key storage, the limit of 128 bits can be considered the minimum for symmetrical methods, whereas 2048 bits is currently considered the minimum for asymmetrical methods (e.g. RSA). Currently, keys of up to 512 bits are possible for the CAST encryption, and up to 4096 bits for the RSA method. However, these limits can be expanded upward, in particular with further technical development.

The data processing device 200 comprises a read-write device 210, a cryptological processor 220 and optionally a computing device 250 such as a computer. Deviating from the illustration, the cryptological processor 220 can be provided as a part of the computing device 250. The cryptological processor 220 can particularly be realized by a software program that is run in the computing device 250.

The read-write device 210 is configured and/or is controlled by the components 220 or 250 to read key data that is stored in the key storages 31, 32 and/or to save key data in the key storages 31, 32. The cryptological processor 220 is connected to the read-write device 220 and equipped with an interface 221 for a data connection with the data storage device 20 of a sample carrier device 100 coupled with the data processing device 200. The cryptological processor 220 is configured for decrypting and/or encrypting sample data or key data. The computing device 250 can be used to control the read-write device 210 and/or the cryptological processor 220 and/or for additional data processing.

In the example illustrated, in which the key storages 31, 32 are designed for wireless communication with the data processing device 200, the read-write device 210 contains a schematically illustrated antenna 211 with which the transponders 37, 38 can be accessed individually or together. The read-write device 210 is configured for a data connection with the transponders 37, 38 as is known from conventional transponder or RFID technologies. When operating the antenna 211, in particular key data can be read from the key storages 31, 32. The read-write device 220 can also be designed to write data into the key storages 31, 32, e.g. for the initial storage of a cryptological key or to change keys.

Deviating from the illustration, wired communication can be provided between the key storage device 30 and the data processing device 200. In addition, a wired or wireless data connection can be provided between the key storage device 30 and the data storage device 20.

FIG. 2 schematically illustrates features of modified embodiments of the sample carrier device 100 according to the invention and the data processing device 200 according to the invention, and their mutual combination. According to FIG. 2, the sample carrier device 100, in accordance with the example of FIG. 1, comprises a sample receiving device 10, a data storage device 20 and a key storage device 30. In the example illustrated, the key storage device 30 comprises three transponders 37, 38 and 39, whose transponder storages each provide one of the key storages 31, 32 and 33. The transponders 37, 38 and 39 are permanently connected to the sample carrier device 100, or releasably using a predetermined breaking point or a storage holder, as in the example of FIG. 1.

The data processing device 200 comprises a read-write device 210, a cryptological processor 220 and a key database 230. In addition, as in the example of FIG. 1, an optional computing device 250, e.g. a computer, is provided which is connected to the other components of the data processing device 200.

The example of FIG. 2 is configured for a reversible anonymization of the sample data using an identification key and/or a master key.

According to the first variant, the cryptological key for encrypting the sample data is stored in the key storage 31 of the first transponder 37, while the key storage 32 of the second transponder 38 contains an identification key. The cryptological key is also stored in the key database 230. The information is stored at a certain storage position or under another unique identification, wherein the identification key contained in the key storage 32 references the storage location or the other identification of the cryptological key stored in the key database 230. In this variant, a reversible anonymization can be achieved by removing the first transponder 37, a re-identification by using the identification key in the second transponder 38, and an irreversible anonymization of the sample data by also removing the second transponder 38, as described in more detail below (see FIGS. 7 to 9).

According to the second variant, a part of a master key is stored in the key storage 33 of the third transponder 39, while a further part of the master key is stored in a source database 310. The cryptological key is stored in the key storage 31 of the first transponder 37 and, encrypted using the master key comprising both aforementioned parts, in the data storage device 20. By reading the part of the master key stored in the key storage 33 with the read-write device 210 and combining this part of the master key with the other part from the source database 310, the master key is generated with which the encrypted cryptological key stored in the data storage device 20 can be decrypted. In the second variant, a reversible anonymization can thus be provided by removing the first transponder 37 with the cryptological key, a re-identification using the master key, and a final, irreversible anonymization can be achieved by removing the third transponder 39. In the example illustrated, the re-identification using the second part of the master key is only possible by coupling the data processing device 200 with the source data storage 310, e.g. at the site where the sample was generated. The two variants with a re-identification using the identification key or the master key can furthermore be combined.

If, alternatively, a method without the source data storage 300 were provided in which the complete master key is contained in the key storage 33 of the third transponder 39, additionally a password or the like would be required to achieve anonymization.

FIG. 3 schematically illustrates the application of the invention when taking, storing and further handling biological samples. First, a sample and associated sample data are saved in a sample carrier device 100 in an area 300 of the sample generation. A sample is taken using a commonly known laboratory method, such as e.g. blood sampling or a biopsy from a sample donor, and transferred into the sample receiving device 10. With a data processing device 200, e.g. in accordance with FIG. 1 or 2, sample data are stored in the data storage device 20 of the sample carrier device 100. When first receiving samples, the generation and storage of the cryptological key for encrypting the sample data can be provided (see FIG. 4). Then, the sample carrier device 100 can be stored in an area 400 for preserving the sample. Provided is, for example, a cryopreservation device 410, e.g. a tank, in which the sample carrier device 100 can be cooled down to the temperature of liquid nitrogen or of liquid nitrogen vapor. Depending on the concrete application of the invention, after a storage period, the transfer of the sample carrier device 100 to an area 500 for sample processing with one or several work stations can be provided. In area 500, the sample can be reversibly anonymized by removing a first key storage with the cryptological key (left in area 500) or irreversibly anonymized by removing all key storages (right in area 500). In addition, in area 500, using a data processing device 200, it is possible to read and/or complement sample data.

2. Preferred Embodiments of the Methods According to the Invention for Processing Sample Data

The generation of the cryptological key, the storage of the cryptological key in the key storage device 30 and the encrypting of the sample data are illustrated schematically in FIG. 4.

The generation of a concretely applied cryptological key, e.g. in the data processing device 200, is initially based on the provision of an encryption system KRYPTO with encrypting functions f_(Ki) for a key K_(i), optionally with encrypting parameters N₁, ..., N_(n). The encryption system KRYPTO is preferably a per se known standard encryption system as known from the technical literature. It can be based on a symmetrical algorithm (secret key algorithm), e.g. the encryption systems DES, AES and CAST, or on an asymmetrical algorithm. The encryption system and the parameters N_(i) are selected so that the resulting key space contains P keys (preferably exclusively) that can be stored in the key storage. The key resulting from the encryption system KRYPTO is stored in the key storage of the key storage device 30. Typically, based on the encryption system used, the P keys available in the key space and, if applicable, the parameters N_(i), a key K_(i) to be used is defined that is stored in the key storage device 30 and supplied to the cryptological processor 220 (see FIGS. 1, 2). Typically, the generation of the cryptological key K_(i) is provided at the site of the sample generation, e.g. in area 300 (see FIG. 3). The generation of the cryptological key K_(i) is preferably random, i.e. based on a random selection.

When writing the sample data D_(i) into the data storage device, the sample data D_(i) is subject to encryption in the cryptological processor with the key K_(i), so that the encrypted (secret) sample data f_(Ki)(D_(i)) is generated.

If several sample data types D₁, ..., D_(n) are provided that are to be encrypted separately, e.g. different items of information within the sample data, the scheme in accordance with FIG. 4 is modified so that for each sample data type a separate cryptological key K₁, ..., K_(n) is generated, stored in the corresponding key storage and used for encrypting the corresponding sample data type D₁, ..., D_(n).

The parameters N_(i) can be required for decrypting sample data and are stored in a clear text area (clear text header) in the data storage device 20.

Due to the short key lengths (≤256 bits currently, e.g. 128, 192 or 256 bits; the storage capacity of small transponders is usually very limited) and the comparatively high attack resistance in comparison to short keys in asymmetrical systems, the encryption system KRYPTO is preferably based on a block cipher (block encryption). In a concrete example, the block cipher CAST with a block length/key length of 128 bits is used. CAST-128 is defined in RFC 2144 (http://www.faqs.org/rfcs/rfc2144.html), CAST-256 in RFC 2612 (http://tools.ietf.org/html/rfc2612). The known AES cipher (Rijndael) or Twofish also belong to the block ciphers. Alternatively, other systems can be used; thus, with the help of public/private key systems, scenarios can be realized in which certain stations can only write data (using the public key) and other stations can read and write (reading requires the private key).

FIGS. 5 and 6 illustrate an embodiment of the method according to the invention with an irreversible anonymization (one-way anonymization). According to FIG. 5, the generation of the cryptological key (step S51) and the storing of the cryptological key, e.g. in the key storage 31 (transponder storage) of a first transponder 37 in FIG. 1 (step S52), are carried out first. Steps S51 and S52 are typically provided once, e.g. during the initial reception of a sample in the sample carrier device. Depending on the application of the invention, steps S51 and S52 can, however, be repeated during further processing of the sample. It can also be provided that at least one additional cryptological key is generated in addition to a first cryptological key that is generated during the original entry of the sample, e.g. for predetermined sample data types.

After providing the sample data D_(i) to be stored (step S53), the encryption of the sample data is performed in the cryptological processor 220 (see FIGS. 1, 2) (step S54). Then, the encrypted sample data is stored in the data storage device (step S55). As a result, the at least one cryptological key is available in the key storage device and the encrypted sample data in the data storage device of the sample carrier device according to the invention.

To irreversibly anonymize the sample by permanently preventing future access to certain sample data types, in particular person-related data, the key storage 31 with the cryptological key is removed from the sample carrier device 100 in accordance with FIG. 6 (step S61). For example, the first transponder 37, which contains the cryptological key, is broken off from the sample carrier device 100 (see FIG. 1A). Without the transponder 37, the cryptological key can no longer be read by the data processing device 200, so the sample data in the data storage device 20 can no longer be decrypted. The sample is thus anonymized if it is transferred without the first transponder 37.

Features of a modified embodiment of the method according to the invention, in which a reversible anonymization of the sample is provided, are illustrated in FIGS. 7 to 9.

According to FIG. 7, a cryptological key is first generated (step S71) that is stored in the key storage 31 (transponder storage) of the first transponder 37 in FIG. 1 (step S72) and in a key database 230 (see FIG. 2) (step S73). Data that allows the cryptological key to be unambiguously read from the key database 230, and which is designated as an identification key, is read from the key database 230 (or generated when the key is generated) and stored in the key storage 32 (transponder storage) of the second transponder 38 (see e.g. FIG. 1) (step S74). For example, a running row index (generated by the database) or an internal identifier is used as an identification key, which is then also generated by the data processing device 200 and stored in the key database 230. The identification key comprises e.g. the information about the storage location of the cryptological key in the key database 230. As a result, the cryptological key is stored in the first transponder 37 and the identification key is stored in the second transponder 38.

Subsequently, the sample data provided in step S75 is encrypted (step S76) and stored as encrypted data in the data storage device 20 of the sample carrier device 100 (see FIG. 1) (step S77).

With the method in accordance with FIG. 7, the sample can be reversibly anonymized and re-identified as illustrated in FIGS. 8 and 9. The reversible anonymization first comprises the removal of the cryptological key from the sample carrier device 100. To this end, in accordance with step S81, the first transponder 37, in the storage of which the cryptological key is stored, is separated from the sample carrier device 100 (see FIG. 1A). As a result, the sample data stored in the data storage device 20, in particular person-related data, can no longer be decrypted, so that the samples can no longer be assigned to a certain donor.

If a re-identification of the sample is required, e.g. to add data about the donor, in accordance with FIG. 9, after a test as to whether the identification key is available in the sample carrier device 100 (step S91), the cryptological key can be read from the key database 230 using the identification key (step S92). After this, sample data that is encrypted with the cryptological key and stored in the data storage device 20 can be read (step S93), so that the decrypted sample data are provided (step S94).

The method according to FIG. 9 can correspondingly be used to query the cryptological key from the key database 230 and to encrypt additional sample data that is to be stored encrypted in the data storage device 20. In addition, optionally, after step S92, the cryptological key read from the key database 230 can be stored in a further key storage device provided at the sample carrier device 100 (step S95), in order to be available for additional encryption or decryption processes.

The method according to FIG. 9 can only be carried out if there is data communication with the key database 230. To ensure that the re-identification is only performed at the site where the key database is physically available, e.g. in a laboratory or a hospital, it is preferred for the data processing device 200 according to the invention that the key database 230 is arranged within the data processing device 200 and connected electrically with the read-write device 210 and/or the cryptological processor 220.

A final anonymization (irreversible anonymization) can be realized in the method in accordance with FIG. 7 in such a way that both the cryptological key and the identification key are removed from the sample carrier device 100. For example, both transponders 37 and 38, which contain the cryptological key and the identification key, respectively, can be broken off from the sample carrier device 100. In this case, the test at step S91 in FIG. 9 yields a negative result, so that a re-identification (de-anonymization) is not possible (step S96).

The use of the identification key in accordance with FIGS. 7 to 9 can be modified so that it is not the original cryptological key but a modified cryptological key that is stored in the key database 230. The modified cryptological key can be read from the key database 230 using the identification key and used to decrypt sample data that is to be saved thereafter in the data storage device 20.

Features of a further embodiment of the method according to the invention using the master key are illustrated in FIGS. 10 to 14. In the illustration, the assumption is made that the master key is composed of two partial keys, namely the source partial key and the sample partial key, which can only be used together, e.g. at the site where the sample was generated (e.g. area 300 in FIG. 3). Alternatively, a unitary master key can be used that is exclusively available at the site where the sample was generated.

FIG. 10 illustrates the generation of the source partial key K_(S) in area 300 of the generation of the sample (step S101) and the storage of the source partial key K_(S) in the data processing device 200 (step S102). It should be mentioned that, in particular with symmetrical methods for generating a partial key, a new partial key K_(S) does not have to be generated every time. For instance, when using block ciphers, K_(S) can simply be a 64 bit key, while the sample partial key can then be any other 64 bit key. For encryption and decryption, both are then combined, e.g. arranged one after the other (see also FIG. 11), to make a 128 bit key.

According to FIG. 11, the first steps shown are the generation of the cryptological key K₁ (step S111), the storage of the cryptological key K₁ (step S112) on the first transponder 37 (see FIG. 1), the provision of the sample data D_(i) to be secured (step S113), its encryption (step S114) and its storage (step S115) in the data storage device 20. These steps are realized like steps S51 to S55 in FIG. 5.

In a further sequence of steps, the generation of the sample partial key K₂₁ is provided (step S116), which is stored in the second transponder 38 (step S117). After providing the source partial key K_(S) (step S118), the cryptological key K₁ is encrypted with a master key p₂, which is composed of the sample partial key K₂₁ and the source partial key K_(S) (step S119). The encrypted cryptological key K₁ is stored in the data storage device 20 of the sample carrier device 100 (step S1110). As a result, the encrypted sample data (from step S114) and the encrypted cryptological key K₁ (from step S1110) are stored in the data storage device 20.

A reversible anonymization of the sample is achieved by removing the first transponder 37 with the cryptological key from the sample carrier device in accordance with FIG. 12 (step S121). If, however, both the first transponder 37 and the second transponder 38, with the cryptological key K₁ and the sample partial key K₂₁ respectively, are separated from the sample carrier device 100 (steps S131 and S132 in FIG. 13), the sample is irreversibly anonymized. By removing the sample partial key K₂₁, the encrypted cryptological key stored in the data storage device cannot be decrypted later, so that the encrypted sample data can no longer be decrypted.

FIG. 14 illustrates the re-identification (de-anonymization) of the sample when using the master key. First, a verification is made whether the sample partial key K₂₁ is available on the sample carrier device 100 (step S141). Then, the sample partial key K₂₁ is completed by the source partial key K_(S) (step S142). After reading the encrypted cryptological key K₁ from the data storage device (step S143), it is decrypted with the master key from step S142 so that the original cryptological key is obtained (step S144). Herewith, the sample data from the data storage device 20 is decrypted (step S145) and made available as decrypted sample data (step S146).

If the sample partial key K₂₁ has been removed from the sample carrier device 100, the test in step S141 has a negative result, so that de-anonymization is excluded (step S147).

If the master key is unitary and consists exclusively of the source partial key, generating the master key as in step S142 can be omitted. In this case, the encrypted cryptological key is decrypted at the location of the source partial key, e.g. in the area of the sample generation (see FIG. 3).
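The master-key variant of FIGS. 10 to 14 (steps S101 to S147), as an added Go example that is not part of the patent or any product described in it: AES-128-GCM from Go's standard library stands in for the CAST-128 block cipher named in the text, the type, function and field names are my own, and the 64 bit source partial key and the sample data are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Carrier models the sample carrier device 100; a nil key means that transponder was broken off.
type Carrier struct {
	EncSample []byte // f_K1(D_i) in data storage device 20 (step S115)
	EncK1     []byte // K1 encrypted under master key p2, data storage device 20 (step S1110)
	K1        []byte // cryptological key K1 in transponder 37 (step S112)
	K21       []byte // sample partial key K21 in transponder 38 (step S117)
}

// randomKey draws n bytes from the OS CSPRNG: the "random selection" of a key.
func randomKey(n int) []byte {
	k := make([]byte, n)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// gcmFor builds AES-128-GCM (AES stands in for CAST-128; the GCM tag makes a wrong key fail).
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomKey(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the key is wrong or the data was altered.
func open(key, sealed []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil || len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("cannot decrypt: bad key or ciphertext")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// masterKey composes p2: the 64-bit K21 followed by the 64-bit K_S gives a 128-bit AES key.
func masterKey(k21, ks []byte) []byte {
	return append(append([]byte{}, k21...), ks...)
}

// Enrol runs steps S111 to S1110 of FIG. 11 in area 300; ks is the source partial key K_S.
func Enrol(sample, ks []byte) (*Carrier, error) {
	c := &Carrier{K1: randomKey(16), K21: randomKey(8)}
	var err error
	if c.EncSample, err = seal(c.K1, sample); err != nil {
		return nil, err
	}
	c.EncK1, err = seal(masterKey(c.K21, ks), c.K1)
	return c, err
}

// RemoveK1 (FIG. 12, step S121) is reversible; RemoveK21 (FIG. 13, step S132) is not.
func RemoveK1(c *Carrier)  { c.K1 = nil }
func RemoveK21(c *Carrier) { c.K21 = nil }
// Reidentify runs steps S141 to S147 of FIG. 14; it needs K_S, so it only works at the source.
func Reidentify(c *Carrier, ks []byte) ([]byte, error) {
	if c.K21 == nil { // step S141 negative: de-anonymization excluded (step S147)
		return nil, fmt.Errorf("sample partial key removed: de-anonymization excluded")
	}
	k1, err := open(masterKey(c.K21, ks), c.EncK1) // steps S142 to S144
	if err != nil {
		return nil, err
	}
	return open(k1, c.EncSample) // steps S145, S146
}

func main() {
	ks := randomKey(8) // constructed source partial key K_S (steps S101, S102)
	c, _ := Enrol([]byte("donor=D-0001;material=blood"), ks) // constructed sample data
	RemoveK1(c)
	d, err := Reidentify(c, ks)
	RemoveK21(c)
	_, err2 := Reidentify(c, ks)
	fmt.Printf("K1 removed: %q %v\nK21 removed: %v\n", d, err, err2)
}
```

Because the GCM tag authenticates the ciphertext, a wrong source partial key is rejected outright rather than yielding a garbled K1, which is what a verifier at the workstation wants to see.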

The aforementioned methods can refer to the entire sample data or a part of it, in particular certain sample data types. In addition, the methods can be realized with several cryptological keys which are assigned to different data areas in the data storage device 20 that are to be protected.

In summary, the advantages of the invention can be seen in the fact that the supplementation of a sample carrier device with a key-based authentication, in particular with transponders, allows a number of applications when generating and handling samples, in particular biological samples. The anonymization of the samples represents a per se complex process that, according to the invention, can be realized by a single, simple step, e.g. separating the transponder from the sample carrier device. By later reassigning the transponder to the sample carrier device or by using a reversible concept, however, access to the data can be restored if necessary.

The features of the invention disclosed in the previous description, the drawings and the claims can be significant individually as well as in combination for the realization of the invention in its different embodiments.

1-23. (canceled)
24. A sample carrier device, comprising: a sample receiving device, which is adapted for receiving at least one sample, a data storage device, which is adapted for storing sample data, which relate to the at least one sample, and a key storage device with at least one key storage, in which the key storage device is adapted for storage of key data in the at least one key storage.
25. The sample carrier device according to claim 24, which is adapted for receiving biological samples.
26. The sample carrier device according to claim 24, wherein at least one key storage of the key storage device is separable from the sample carrier device.
27. The sample carrier device according to claim 24, wherein the at least one key storage is adapted for at least one of electronic, optical and magnetic storage of the key data.
28. The sample carrier device according to claim 24, wherein the key storage device is adapted for wireless communication with a data processing device.
29. The sample carrier device according to claim 24, wherein the key storage device comprises at least one transponder.
30. The sample carrier device according to claim 24, wherein the data storage device is adapted for storage of different data types, and the key storage device comprises a plurality of key storages, which are adapted for storage of respectively different key data for respectively one of the data types.
31. The sample carrier device according to claim 30, wherein the data storage device comprises a plurality of storage areas, which are adapted for storage of respectively one of the data types, and each of the key storages is assigned to one of the storage areas, respectively.
32. The sample carrier device according to claim 24, wherein each key storage of the key storage device carries a specific mark.
33. The sample carrier device according to claim 32, wherein the specific mark is an optical mark.
34. A data processing device, which is adapted for coupling with one sample carrier device according to claim 24, comprising: a read-write device for at least one of writing and reading the key data into or out of the key storage device of the sample carrier device, and a cryptologic processor, which is connected to the read-write device and is adapted for at least one of decryption and encryption of sample data.
35. The data processing device according to claim 34, which comprises a key database, which is adapted for storage of the key data.
36. A method for processing sample data, wherein the sample carrier device according to claim 24 is used, comprising the steps: encryption of the sample data with at least one cryptologic key, which is saved in the key storage device, and storage of the encrypted sample data in the data storage device of the sample carrier device.
37. The method according to claim 36, further comprising the steps: encryption of different data types of the sample data with, respectively, different cryptologic keys, and storage of the encrypted, different data types of the sample data in the data storage device.
38. The method according to claim 36, further comprising the steps: storage of the at least one cryptologic key in the key storage device and additionally in a key database, and storage of at least one identification key in the key storage device, which identifies the at least one cryptologic key in the key database, wherein the at least one cryptologic key and the at least one identification key are saved in different key storages of the key storage device.
39. The method according to claim 38, further comprising the steps: reading of the at least one cryptologic key from the key storage device or from the key database, and decryption and reading of the encrypted sample data saved.
40. The method according to claim 36, further comprising the steps: encryption of the at least one cryptologic key with a master key, and storage of the at least one encrypted cryptologic key in the data storage device.
41. The method according to claim 40, further comprising the step of storage of at most a part of the master key in the key storage device.
42. The method according to claim 40, further comprising the step of storage of at least one part of the master key in a source storage, which is provided for in a region of generation of the sample.
43. The method according to claim 40, further comprising the steps: reading of the at least one encrypted cryptologic key from the data storage device, decryption of the at least one encrypted cryptologic key with the master key, and decryption and reading of the encrypted sample data saved.
44. The method according to claim 36, further comprising the step of anonymization of the saved encrypted sample data by separating a key storage, in which the cryptologic key is saved, from the sample carrier device.
45. The method according to claim 36, further comprising the step of anonymization of the saved encrypted sample data by separating at least one key storage, in which at least one of the identification key and the part of the master key is saved, from the sample carrier device.
46. The method according to claim 36, further comprising the step of wireless transmission of at least one of the cryptologic key, the identification key and the master key from the key storage device to a reading device, which is provided for reading the key data.
47. A method for authentication of a sample carrier device according to claim 24, further comprising the steps: coupling the sample carrier device with a reading apparatus of a workstation in a region for sample processing, read-out of the key data from the sample carrier device with the reading apparatus, and establishing the identity of at least one of the sample carrier device and the workstation using the key data.
48. The method according to claim 47, wherein the key data comprise a signature key, wherein a sample source signs the sample in a region of sample generation with a private key that is known only to the sample source and the signature can be verified with a public key.